IEEE COMMUNICATIONS LETTERS, VOL. 19, NO. 7, JULY 2015
Using Distance-Bounding Protocols to Securely Verify
the Proximity of Two-Hop Neighbours
Elena Pagnin, Gerhard Hancke, and Aikaterini Mitrokotsa
Abstract—Distance-bounding protocols allow devices to cryptographically verify the physical proximity of two parties and are a
prominent secure neighbour detection method. We describe how
existing distance-bounding protocols could be modified to verify
the proximity of both next-hop and two-hop neighbours. This
approach allows a node to verify that another node is a physical
next-hop neighbour, and also detects legitimate neighbours who
make dishonest claims as to who their neighbours are. This approach could prevent dishonest neighbours from hoarding traffic
as the result of advertising false two-hop routes.
Index Terms—Wireless sensor network, distance-bounding,
secure neighbour discovery, wormhole attack.
I. INTRODUCTION
COMMUNICATION in ad-hoc wireless networks relies
heavily on routing information provided by neighboring
nodes. A neighbouring communication node is in a privileged
position since it can directly influence the routing decisions
of its immediate neighbors. Thus, it is important to verify
these neighbours through secure neighbour discovery (SND)
methods [1]. Distance-bounding (DB) protocols are a prominent
SND approach that determines an upper bound on the physical
distance between two nodes. They provide a cryptographic
proof of the neighbour’s proximity but do not consider the proximity of nodes beyond the next-hop neighbour. When building
a secure network, we should ideally not only have assurance
regarding the neighbour’s proximity but also regarding the
neighbour’s claims (i.e. authenticate the node or not).
In this letter, we introduce a new concept that extends traditional DB protocols to a two-hop setting. We propose a new
approach for designing DB protocols that would provide some
assurance regarding the physical proximity of both next-hop
and two-hop neighbours. This will not only prevent external
parties from making distant nodes appear as neighbours, but
also prevent compromised or malicious legitimate nodes from
advertising two-hop routes to nodes that are in reality much
further away. We propose the general structure of a two-hop
DB protocol and we discuss the effectiveness of this protocol
considering dishonest actions by the untrusted immediate (next-hop) and the two-hop neighboring nodes (provers).
Manuscript received March 5, 2015; accepted May 7, 2015. Date of
publication May 18, 2015; date of current version July 8, 2015. This work was
supported in part by grants from STINT (“Cross-layer authentication for wireless networks”), SNSF Sinergia (“SwissSenseSynergy”), and City University
of Hong Kong (Project No. 7200375). The associate editor coordinating the
review of this paper and approving it for publication was P. Serrano.
E. Pagnin and A. Mitrokotsa are with Chalmers University of Technology, 412 96 Gothenburg, Sweden (e-mail: [email protected]; aikmitr@chalmers.se).
G. Hancke is with City University of Hong Kong, Kowloon Hong Kong,
(e-mail: [email protected]).
Digital Object Identifier 10.1109/LCOMM.2015.2434373
II. BACKGROUND AND PROBLEM STATEMENT
In this section, we provide a brief introduction to DB protocols, their limitations against wormhole attacks and the need for
two-hop DB. Furthermore, we provide the general structure of
a DB protocol, which we later use to demonstrate our two-hop
extension in Section III.
A. Distance-Bounding Protocols
DB protocols use the round-trip-time of multiple cryptographic challenge-response pairs to determine an upper bound
on the physical distance between a verifier (V) and an untrusted
prover (P). Brands and Chaum [2] have introduced the first DB
protocol to combat relay attacks in ATM systems. Numerous
DB protocols have followed, while the interest in formalizing
and analyzing the security of these protocols has grown [3]–[6].
The basic objective of a DB protocol is to protect against the
following three general threat scenarios:
1) Distance Fraud: In this fraud, a dishonest prover P tries
to prove that it is located close to V, while being far away.
2) Mafia Fraud: This attack involves an honest prover P,
an honest verifier V and an adversary A (a man-in-the-middle)
located far from V. P and V are not in close proximity, and A
tries to shorten the distance by convincing V it communicates
with P, while in reality P and V are communicating with A.
3) Terrorist Fraud: This attack involves a dishonest prover
P̃, an honest verifier V and an adversary A located far from V.
The prover P̃ is far away from the verifier V but the adversary
A is close to V. The adversary’s goal is to convince V that P̃ is
close; A achieves this by convincing V that it is communicating
with P̃ while in reality V communicates with A. However,
in this case P̃ collaborates with A but without revealing any
information about its long-term secret key to A.
In Fig. 1, we present the general structure of a DB protocol
that is resistant to all three attack scenarios. In the literature,
protocols that are terrorist-fraud resistant are mainly based on
a similar design approach [7]. Our illustrative protocol follows
this approach, which is to implement a response function where
the dishonest prover’s key is revealed if P discloses the possible
responses. The protocol can be broken down into three phases:
an initialization, a distance-bounding and a verification phase.
V and P share a secret key $x_{VP}$. In the initialization phase, V
and P exchange the randomly generated nonces $N_V$ and $N_P$
correspondingly. Both parties then calculate the response registers
$a^0 = f_{x_P}(N_P, N_V)$ and $a^1 = \mathrm{Enc}_{a^0}(x_P)$, where $f$ denotes
a pseudorandom function (PRF) and Enc is any symmetric
encryption function that would reveal the key $x_P$ if both $a^0$ and
$a^1$ are revealed, e.g. such an encryption function could give us
$a^1 = a^0 \oplus x_P$.
In the distance-bounding phase (composed of $n$ time-critical
rounds), V starts its clock and sends random single-bit challenges
$c_i \in \{0, 1\}$ for $i \in \{1, \ldots, n\}$ to P, while P responds
with $r_i = (a^{c_i})_i$. As soon as V receives the response $r_i$ it stops
the clock. In the verification phase, V compares the received $r_i$
with the expected one, determined by $a^0$ and $a^1$, and if these
are correct it uses the round-trip-time $t_i$ to check whether the
response is within the maximum allowed time $t_{\max}$ to transmit
a message between P and V. This protocol protects against
distance fraud with probability $\left(\frac{3}{4}\right)^n$, i.e., a dishonest prover
knows half the responses (where $a^0_i = a^1_i$) and would need
to guess each remaining challenge correctly to preemptively
send a correct response. The mafia fraud attack succeeds with
probability $\left(\frac{3}{4}\right)^n$, i.e., an attacker can pre-ask the prover for
responses—if it guesses the pre-asked challenge correctly it
wins the round, otherwise it needs to guess the response. The
protocol also protects against terrorist fraud, as the attacker
would learn the secret key if both $a^0$ and $a^1$ are shared with
him. P can share one register (either $a^0$ or $a^1$) without revealing
the key $x_{VP}$. This would mean that A knows half the correct
responses and needs to guess the rest. The resultant success
probability for terrorist fraud is $\left(\frac{3}{4}\right)^n$.
Fig. 1. One-hop distance bounding resistant to all three attacks.
Fig. 2. A wormhole attack run by an adversary employing two malicious nodes
$L_1$ and $L_2$. $d_V$ and $d_P$ indicate the communication ranges of V and P.
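The one-hop protocol of Section II-A, written out as an added example (this is not code from the letter): it builds the two response registers, runs V's verification, computes the exact chance that replies sent before the challenge arrives are all accepted, and shows how disclosing both registers discloses the key. HMAC-SHA256 as the PRF $f$, $n = 128$, abstract time units and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from fractions import Fraction
from itertools import product

N = 128  # rounds n (assumed); the key is N bits so a1 = a0 XOR x has one bit per round


def bits(data: bytes, n: int) -> list:
    """First n bits of data, most significant bit first."""
    return [(data[i // 8] >> (7 - i % 8)) & 1 for i in range(n)]


def registers(key: bytes, n_p: bytes, n_v: bytes, n: int = N):
    """a0 = f_x(N_P, N_V), a1 = a0 XOR x. HMAC-SHA256 as the PRF f is an assumption."""
    a0 = hmac.new(key, n_p + n_v, hashlib.sha256).digest()[: len(key)]
    a1 = bytes(p ^ q for p, q in zip(a0, key))
    return bits(a0, n), bits(a1, n)


def respond(a0, a1, i, c):
    """Honest prover: r_i is bit i of the register selected by challenge c_i."""
    return (a0, a1)[c][i]


def verify(a0, a1, challenges, responses, rtts, t_max):
    """Verification phase: every r_i is correct and every round trip is within t_max."""
    return all(
        r == (a0, a1)[c][i] and t <= t_max
        for i, (c, r, t) in enumerate(zip(challenges, responses, rtts))
    )


def early_reply_success(a0, a1) -> Fraction:
    """Exact chance that replies sent before c_i arrives are all correct:
    certain where a0_i == a1_i, a coin flip where the registers differ."""
    p = Fraction(1)
    for x, y in zip(a0, a1):
        p *= 1 if x == y else Fraction(1, 2)
    return p


def average_early_reply_success(n: int) -> Fraction:
    """Average of early_reply_success over every register pair of length n."""
    regs = list(product((0, 1), repeat=n))
    total = sum(early_reply_success(a0, a1) for a0 in regs for a1 in regs)
    return total / (len(regs) ** 2)


def leaked_key_bits(a0, a1):
    """Terrorist-fraud deterrent: whoever holds both registers holds x = a0 XOR a1."""
    return [x ^ y for x, y in zip(a0, a1)]


if __name__ == "__main__":
    key = secrets.token_bytes(N // 8)  # constructed sample key and nonces
    n_v, n_p = secrets.token_bytes(16), secrets.token_bytes(16)
    a0, a1 = registers(key, n_p, n_v)
    cs = [secrets.randbelow(2) for _ in range(N)]
    rs = [respond(a0, a1, i, c) for i, c in enumerate(cs)]
    print("honest run accepted:", verify(a0, a1, cs, rs, [5] * N, t_max=8))
    print("average over n=4 registers:", average_early_reply_success(4))
    print("both registers reveal key:", leaked_key_bits(a0, a1) == bits(key, N))
```

Averaged over all register pairs, the early-reply probability equals $(3/4)^n$ exactly, which is the figure quoted in the text for distance fraud.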
B. Motivation Scenarios
In this paper, we introduce for the first time the concept of
two-hop distance-bounding, which extends the traditional setting of one-hop distance-bounding. In the two-hop setting, we
consider three parties: a prover P, a verifier V and an untrusted
in-between node (henceforth linker) L. P and V are not in each
other’s communication range but P wants to be authenticated
by V. Two-hop distance-bounding can be employed to verify
that V is close to L and L is close to P, by measuring the
time-of-flight of the messages exchanged between V, L and
P. Thus, V is able to calculate an upper bound on the distance of
an untrusted prover (P) that is not in its direct communication
range. We need to point out here that we are employing two-hop
distance-bounding in order to verify that a prover P that
is not in the communication range of V is actually located
in the communication range of L (V’s one-hop neighbor). Two-hop
distance-bounding can be useful in many different settings,
such as the detection of wormhole attacks as well as access
control scenarios when the prover is not in the range of the
verifier.
A wormhole is an attack strategy for undermining routing
protocols first described by Perrig et al. [8]. In this attack, an
adversary wants to convince a network node that the most
attractive route to another node is through it. This allows it
to control the communication between the two nodes, e.g., it
can modify or simply discard messages. In a wormhole attack
scenario an adversary may have compromised a node L located
in the communication range of two nodes V and P, while P is
outside the communication range of V. V wants to transmit a
message to P and verify that P is its two-hop neighbour. If V
trusts P but both P and V do not trust L, then by running a
conventional (one-hop) DB protocol twice (once between V and L
and once between L and P) V could verify that P is indeed its
two-hop neighbour. However, when P is not trusted, conventional (one-hop) DB protocols cannot solve this problem. The
same problem applies when the adversary controls two nodes
$L_1$ and $L_2$ instead of a single node L (Fig. 2). Thus, there is a
need for a new mechanism to verify the two-hop proximity of
P by relying on an untrusted one-hop neighbour (L).
As additional motivation for two-hop DB, consider
access control problems where the prover does
not have direct access to the authenticator (access point, verifier) but has to rely on an untrusted in-between node. For
instance, this could be the case for many smart devices in ubiquitous computing environments, e.g. gaining access to a printer
(printing service) if the prover can prove that it is a two-hop
neighbour to the printer (i.e., lies within a specified distance within
the campus/building of a university), even without having direct
access to the printer.
III. TWO-HOP DISTANCE BOUNDING
In this section we describe how DB protocols could be modified to allow a verifier V to compute a distance bound on the
next-hop node (i.e., the linker L) and the two-hop neighbouring
node (i.e., the prover P) even if both these nodes are untrusted.
We base our modifications on simple assumptions regarding the
communication model between these nodes, as shown in Fig. 3.
The linker L is within the communication range (one-hop) of
the verifier V, both the verifier V and the prover P are within the
communication range of the linker L, and V and P are beyond
each other’s communication range (two-hop neighbours). If all
three nodes use the same communication channel, this means
that only L can receive messages sent from V, only L can
receive messages sent from P, and that anything L transmits
is received by both V and P.
Our extension of the general protocol described in
Section II-A to the two-hop case is shown in Fig. 4. We assume
that V and P share the secret key $x_{VP}$ while V and L share
the secret key $x_{VL}$. During the initialization phase V, L and
P respectively select randomly generated nonces $N_V$, $N_L$ and
$N_P$. V sends $N_V$ to L and L transmits $N_L$, which means it is
received by both V and P. V and L both calculate $a^0$ and $a^1$,
while the prover calculates $d^0$ and $d^1$. The distance-bounding
phase starts when V generates and sends a random challenge-bit $c_i$ and starts two clocks $t_L$ and $t_P$. L receives the challenge
and transmits i = $(a^{c_i})_i$, depending on the challenge $c_i$. V and
P receive i, with the former stopping clock $t_L$ and the latter
computing and transmitting his response ri = (di )i to L. In the
final step, L forwards $r_i$ to V who stops the clock $t_P$. These steps
are repeated $n$ times. In the verification phase P sends the nonce
$N_P$ along with all challenges received and the responses sent
$r$ (this message is authenticated with a message authentication
code MAC) to V. V computes $d^0$ and $d^1$ and verifies that all
received i and $r_i$, $\forall i \in \{1, \ldots, n\}$, are correct. If the verification
is successful V uses $t_L$ to bound the distance of L and $t_P$ to
bound the distance of P.
Fig. 3. The basic two-hop node configuration - verifier V, prover P and linker L.
A. Security Analysis
We describe the possible threats when one or both of the
internal participants (prover P and linker L) are dishonest. Due
to space constraints we only deal with the main attack scenarios
that we expect the two-hop DB protocol to detect.
Case A–Dishonest Prover P̃, Honest Linker L: To appear
closer to L, in the DB phase P̃ has to send the fraudulent
response $\tilde{r}_i$ before it has received the challenge-bit i from L.
Since $r_i$ is determined by two response registers $d^{0,1}$, P̃ knows
$r_i$ if $d^0_i = d^1_i$. If $d^0_i \neq d^1_i$ then P̃ has
to guess the response $r_i$.
The overall probability of success is $\left(\frac{3}{4}\right)^n$.
Case B–Honest Prover P, Dishonest Linker L̃: The dishonest linker L̃ does not need $c_i$ to determine i when $a^0_i = a^1_i$. It
can send i to P earlier during these rounds, obtain the correct
$r_i$ earlier and then wait for $c_i$ from V, which means it wins these
rounds. When $a^0_i \neq a^1_i$ it can follow two strategies to obtain
the rest of $r$. The first one is to preemptively send a guessed
response $\tilde{r}_i$, with a success probability of $\frac{1}{2}$ per exchange round.
The second is to preemptively send a guessed bit ˜i to P before
the challenge $c_i$ is received, but wait until it receives $c_i$ before
sending i to V. All guesses of L̃ sent to P must be correct (its
chance of guessing all the bits right is $\left(\frac{1}{2}\right)^n$) or V will detect
the fraudulent bit(s) during the verification of the MAC from P
given that ˜i received by P is not the same as the i received by
V. Thus, the adversary’s round success probability is 1 when
$a^0_i = a^1_i$ and $\frac{1}{2}$ when $a^0_i \neq a^1_i$, with an overall probability
equal to $\left(\frac{3}{4}\right)^n$.
Case C–Dishonest Prover P̃, Dishonest Linker L̃: We may
discriminate into two sub-cases.
— P̃ and L̃ do not Collaborate: The probability of success
is simply whether Case A or Case B succeeds when
occurring at the same time. Neither attack strategy implemented by P̃ or L̃ effectively assists the other party
and the success still depends on whether L̃ can guess i
and $r_i$ correctly. Even if L̃ realises P̃ is attempting to
be dishonest and waits for its early replies their success
depends on P̃ guessing $r_i$ correctly. The probability of
either attack succeeding thus remains $\left(\frac{3}{4}\right)^n$.
— P̃ and L̃ Collaborate: This sub-case is equivalent to a
single-hop terrorist fraud. P̃ assists L̃ (located close to
V) to convince V that P̃ is within the allowed distance
bound. However, the attack is seen to be unsuccessful
if P̃ reveals any information about his secret key $x_P$.
During the initialisation phase P̃ sends one of $d^0$ or $d^1$
to L̃, thus not revealing any information about his key. L̃
can now calculate half of the responses $r_i$ correctly and
send them in time to V. L̃ would need to correctly guess
the responses generated from the other register. Thus, the
success probability of the attack is $\left(\frac{3}{4}\right)^n$.
B. Discussion
The attacker’s probability of success is $\left(\frac{3}{4}\right)^n$ in Case A,
Case B, and in Case C. This is comparable to the success
probabilities of the original one-hop DB protocol, and it appears
as if the modification does not introduce any significant weakness. The additional effort required of each node is minimal.
In the original one-hop protocol each entity has to send one
conventional message, participate in a distance-bounding phase
and calculate responses. In the extended protocol, the prover
does not perform any additional actions, the linker needs to send
one extra message to relay the prover’s final message, and the
verifier needs to calculate both $a^{0,1}$ and $d^{0,1}$.
IV. RELATED WORK
Current DB protocols mostly consider a single prover bounding the distance of a single verifier. None of these proposals
provide non-repudiation of the distance-bound between two
parties to any third (untrusted) party. Our proposal allows the
verifier to determine a distance bound on the linker (next-hop
node) and verify the validity of the distance bound between the
linker and the prover, even though the linker is not trusted. One
interesting divergence from the two-party distance-bounding
approach is performing distance-bounding with multiple parties
[9]. This group distance-bounding verifies that all the parties are
in close proximity. However, this still requires all the parties in
the group to be able to communicate directly with each other
to be able to complete the protocol. Our proposal allows for a
verifier to verify that two nodes are in close proximity (next-hop and two-hop) without directly communicating with the
two-hop node. Centralized SND approaches can verify more
than just next-hop neighbours but are based on the assumption
that there are many nodes that can collaborate and aggregate
data to a central system controller [10]. This approach often
involves location-based methods that require the physical location of each node to be known [8]. Determining the location
of a node requires additional network infrastructure and resources, especially indoors where Global Positioning Systems
(GPS) are not as effective, while a system wide localization
scheme still relies on accurate node-level neighbour detection
to build secure connectivity maps [11]. There are several secure
localization schemes that use DB protocols for the underlying
distance estimation between nodes [12]. Our approach does not
compete with these centralised approaches and can potentially
assist them by allowing individual nodes to securely verify the
proximity of next-hop and two-hop nodes.
Fig. 4. Two-hop distance-bounding protocol.
V. CONCLUSION
In this paper, we introduce the concept of two-hop distance-bounding and propose a method based on which existing DB
protocols could be modified to provide assurance regarding the
physical proximity of both next-hop and two-hop neighbours.
To illustrate our idea we presented the general structure of a DB
protocol and extended it to the two-hop setting. We performed
a security analysis of the introduced protocol when the internal
parties (P and L) are dishonest. Future work could consider
whether the two-hop scenario introduces any new attack scenarios and perform a detailed study on the implications for
security if the protocol needs to accommodate bit errors during
the DB phase. More precisely, the proposed protocol could be
rendered resistant to bit errors through the use of an acceptance
threshold of erroneous responses, but it would be interesting
to see if there are any implications if two channels are used
(e.g., if i should be transmitted twice). In addition, this analysis
should take into consideration the recent point made by Hancke
[13] that designing DB protocols resistant to terrorist fraud
is significantly weakened by error resistance, as a prover is
potentially able to keep its key secret or hinder an attacker from
learning its key.
REFERENCES
[1] M. Potularski, P. Papadimitratos, and J.-P. Hubaux, “Secure neighbour
discovery in wireless networks: Formal investigation of possibility,” in
Proc. ASIACCS, 2008, pp. 189–200.
[2] S. Brands and D. Chaum, “Distance-bounding protocols (extended abstract),” in Proc. EUROCRYPT, 1993, pp. 344–359.
[3] G. Avoine, M. A. Bingöl, S. Kardas, C. Lauradoux, and B. Martin, “A
framework for analyzing RFID distance bounding protocols,” J. Comput.
Security, vol. 19, no. 2, pp. 289–317, Apr. 2011.
[4] C. Dimitrakakis, A. Mitrokotsa, and S. Vaudenay, “Expected loss analysis
for authentication in constrained settings,” J. Comput. Security, DOI:
10.3233/JCS-140521, to be published.
[5] I. Boureanu, A. Mitrokotsa, and S. Vaudenay, “Practical & probably secure distance bounding,” J. Comput. Security, DOI: 10.3231/JCS-140518,
to be published.
[6] A. Mitrokotsa, P. Peris-Lopez, C. Dimitrakakis, and S. Vaudenay, “On
selecting the nonce length in distance-bounding protocols,” Comput. J.,
vol. 56, no. 10, pp. 1216–1227, Oct. 2013.
[7] J. Reid, J. M. Nieto, T. Tang, and B. Senadji, “Detecting relay attacks with
timing-based protocols,” in Proc. ASIACCS, 2007, pp. 204–213.
[8] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Packet leashes: A defense against
wormhole attacks in wireless networks,” in Proc. IEEE INFOCOM, 2003,
vol. 3, pp. 1976–1986.
[9] S. C̆apkun, K. Defrawy, and G. Tsudik, “Group distance bounding protocols,” in Proc. TRUST, 2011, vol. 6740, LNCS, pp. 302–312.
[10] Z. Li, W. Trappe, Y. Zhang, and B. Nath, “Robust statistical methods for
securing wireless localization in sensor networks,” in Proc. IEEE ISPN,
2005, pp. 91–98.
[11] A. Boukerche, H. Oliveira, E. Nakamura, and A. Loureiro, “Secure localization algorithms for wireless sensor networks,” IEEE Commun. Mag.,
vol. 46, no. 10, pp. 96–101, Oct. 2008.
[12] S. C̆apkun and J. Hubaux, “Secure positioning in wireless networks,” IEEE J. Sel. Areas Commun., vol. 44, no. 2, pp. 221–232,
Oct. 2006.
[13] G. Hancke, “Distance-bounding for RFID: Effectiveness of terrorist fraud
in the presence of bit errors,” in Proc. RFID-TA, 2012, pp. 91–96.